How do I remove native permissions for Domain Admins to Create and or Modify GPOs?
NetIQ Group Policy Administrator 2.x
NetIQ Group Policy Administrator 3.0
NetIQ Group Policy Administrator 4.x
NetIQ Group Policy Administrator 5.0
The only way to remove the native permissions globally is to remove the users from the Domain Admins group. If this is not feasible, you can remove the Domain Admins group?s ability to modify GPOs on a GPO-by-GPO basis.
Refer to the following steps to remove the Domain Admins group?s ability to modify a GPO:
- Launch the NetIQ GPA GUI.
- Expand the domain and expand the desired GPO.
- Right-click Filters and select Adjust Filters.
- Select Domain Admins and uncheck Edit GPOsettings.
- Click OK.
A Domain Admin still has the ability to go back into a GPO and edit the ACL on it, thereby giving them permissions to modify the GPO again.
Note: If you use the repository functionality of GPA, in combination with Directory & Resource Administrator (DRA) delegation, you can remove a user from Domain Admins and delegate to them the functionality they need via DRA.